The Equifax Hack Conundrum

Friday, September 8, 2017

By April Glaser.

Will merely checking to see whether you were a victim of the breach waive your right to sue?

Late Thursday the credit reporting agency Equifax revealed that it was subject to one of the most damaging data breaches in recent memory: Intruders accessed up to 143 million Americans’ names, Social Security numbers, birthdates, and driver’s license numbers. Credit card numbers for about 209,000 consumers were also exposed, according to Equifax.

Equifax set up a website,, where you can check whether you’ve been affected. (And if you are an adult in the U.S., it’s a pretty safe bet that you were affected.) The company is also offering a year of free credit monitoring and identity theft protection, called TrustedID, for people who had their info stolen. (Whether such services really work is another matter.) TrustedID also appears to be running the part of that allows people to see whether they were impacted by the hack.

The problem with using Equifax’s free ID protection, though, is that in signing up, you have to agree to terms of service that appear to force you into arbitration and waive the right to participate in any class-action lawsuit against TrustedID, the credit monitoring service. (Arbitration is the technical term for settling a dispute outside of court.)…

Simply checking whether you were affected by the breach or signing up for TrustedID doesn’t automatically make you ineligible to participate in a class-action suit against Equifax about the breach. According to Robert Weissman, the president of Public Citizen, a prominent public-interest advocacy organization, those terms may mean instead that you can’t engage in a class action against TrustedID, the service that checks if you were a part of the breach.

Confused yet? So are the lawyers.

But if you’ve ever been a customer of Equifax, like by obtaining a credit report from the company, then you’ve already likely waived your right to sue Equifax with regard to the breach. That’s because Equifax has inserted a clause into its own terms of service that forces customers to go into arbitration, too. It’s confusing, because although the TrustedID’s terms of service—that’s the site used to check if you were a victim of the Equifax breach and obtain identity protection services—only appears to apply to TrustedID, Equifax itself has broadly worded terms of service that bar anyone who uses “all other websites owned and operated by Equifax and its affiliates” from engaging in class action, too.

But Equifax’s terms might not be enforceable anyway. As Joanne Doroshow, the executive director of the Center for Justice and Democracy at New York Law School explained to me, a clause in Equifax’s terms of service says that claims that fall under the Fair Credit Reporting Act are exempted. The FCRA is supposed to protect the privacy of information kept by consumer-reporting agencies like Equifax, which would mean that customers would not be forced to arbitration and thus could particulate in a class-action suit.

Click here for the full article.

Join Our Fight!

The Center for Justice & Democracy is the only national consumer organization in the country exclusively dedicated to protecting our civil justice system. If you'd like more information, please contact us.

Connect with us